A security program that blocks program execution.

Hello,

First off let me apologize if this topic is created in the wrong board, I did however not see anywhere else it fits.

Now to my problem: I want a security program that blocks a program from being executed but also asks me whether I want to continue blocking it or if I want to Trust/Allow it, this should also be remembered so if I execute that program later it will be run without notification if I chose trust and it would be blocked with notification but without question if I chose block.

Now the reason why I don’t just use CIS for this is simple: It simply doesn’t do it. With CIS I can block programs from doing things with Defense+ and HIPS but I haven’t found any configuration that asks me whether or not I want to allow the program to launch, the closest I got was to ask whether or not that program was allowed to execute another program.

Now one way I could block program execution is using the “Block” option in the auto-sandbox, but the downside to this is that it actually doesn’t ask you… in fact it doesn’t even tell you s**t, it just blocks any unknown application and doesn’t even have the courtesy to notify you about it.

And no matter how I twist and turn and tweak and change the settings, I just can’t seem to find a way to get it to simply ask me whether or not I want to execute the program itself. And since my beg for them to implement a notification for the auto-sandbox block option went ignored (It got answered but ignored in the end product) I can’t see that they are ever going to implement it, so does anyone know a program that actually works the way I described I want it to work?

Thank you!

Well, that’s kind of funny. I use Comodo exactly because of this ability! :smiley:

Don’t use the sandbox (it’s made for user “friendliness” to have fewer questions), use Defense+, don’t suppress questions.
Put it in safe mode, or if you know what you are doing and you want to have full control, use paranoid mode (Beware: you have to test everything, like screensaver function etc!).

Firewall should be in custom mode.

Switch to proactive mode config first before making settings.

And make settings for all the programs you are using. In general.

Defense+ doesn’t block actual execution, only execution carried out by other programs. I want it to not even start until I say it can.

Look now. I start game exe:

Explorer exe tries to execute game exe! (OK).
Game exe tries to do something! (OK/or treat as “allowed” or any rule you want)
Play.

The execution was blocked.
No?
:slight_smile:

For me the program starts but the actions are blocked. It’s the program starting I want to block.

Did you try with disabled sandbox? The setting “treat unknown applications as” should be set to untrusted, though.
If blocked, Defense+ does not ask, but blocks.
Unlucky design.

I used Comodo when there was no sandbox introduced.
And it provided all features that you want to have in your post.

NEVER press in an “explorer exe tries to”-question “treat as installer and remember”. You will lose one question layer!

In CIS v6 you can disable the use of the TVL. If you switch to Proactive Security and disable Behaviour Blocker (formerly known as automatic sandboxing) you will get alerted when you start a program. It will be full HIPS like in v3.14.

You might want to use an antiexecutable or a paranoid BB.

I would recommend ThreatFire, but since development has stopped and it’s still rather unstable, I suggest you opt for alternatives instead.

OnlineArmor works well enough, though it slows some systems down.

Comodo Firewall could be configured as an antiexecutable.
https://forums.comodo.com/defense-sandbox-help-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html

There’s also ProcessGuard and Malware Defender.

I’ve not used any of those and opted instead for NTFS file permissions or an encryption software for equal efficiency, albeit far more hassle and testing. Works rather well though. It’s not going to ask you, but I figure if you know the answer to that, then why ask? Might as well do it yourself. So I did just that. Rather than deal with a buncha pop-ups, I’d just do it manually. Saves me the frustration. :wink:

Sorry, I’m sick at the moment so I can’t try the suggestions in this thread, I’ll come back when I’m not sick anymore and read through the comments.

Maybe NoVirusThanks ExeRadar? I never used it in this way so IDK if it goes exactly as you want.

Sorry to hear you’re under the weather. Let us know what you think once you’re better.

None of these worked for what I wanted it to. I have TVL disabled (If that means something like Trusted Vendors List) and I have proactive configuration. I then tried with safe mode and paranoid mode as well with behavior blocker off and on blocked.
Either Defense+ setting + BB off = Program starts, unless it’s trying to do something like reach the internet at launch but if it is for example a simple program like the md5hash check tool I got (unrecognized) it launched the GUI without question but with BB set to blocked, all unrecognized files were blocked before launch. This is what I seek but with an alert clearly stating something was getting executed but blocked then options to allow it or keep blocking it.

Do any of these play nicely with CIS 6? I’d still like to use CIS 6 but also something that just does what I’ve asked for several times, so no additional anti-virus etc.

ProcessGuard and Malware Defender, as far as I’ve heard, work well enough with CIS. Just turn D+ off.

For NTFS permissions, there’s nothing to install so, yes, of course it plays well. File encryption programs should not conflict with CIS, either.

NoVirusThanks Exe Radar is also a good candidate. Just whitelist CIS in it, and whitelist it in CIS. Again, D+ off.

Free NoVirusThanks ExeRadar has a long-long-ago-reported-and-not-fixed-yet bug: your comp can freeze if you switch between user accounts. The paid one doesn’t have it AFAIK.

I tried NVT ExeRadar on 3 different comps with CIS 6 and didn’t find any necessity to switch D+ off.

I don’t understand the problem.

When I use Comodo, it has default deny.
Nothing can execute without permission (paranoid mode).
I became lazy, now I use safe mode.

But beyond paranoid mode, what is better default-denying?

If programs can execute no matter what you do, it seems to be the setting.

Even with Paranoid settings, unknown applications are able to execute. When I have HIPS set to Paranoid and TVL turned off, certain unrecognized files are still executed as I get into the GUI. This only happens whenever that program doesn’t do anything else during start up, for example go out on the internet because then I get an alert from the firewall telling me it’s trying to reach the internet and the program hasn’t started.
Basically what I want is what the Behavior Blocker set to “Blocked” does but in HIPS, but no matter how I set it it just doesn’t work that well, and the behavior blocker set to “Blocked” doesn’t create an alert.

Besides if I have HIPS set to paranoid my computer will fail starting up certain things and leave me at a black screen with just a cursor after login. So Paranoid is off limits. I currently have it set to Safe Mode.

Edit: This whole thing could be fixed with one simple thing: Give the “Blocked” option for Behavior Blocker an Alert that allows you to click something like “Don’t block next time” and then a “Remember option” tick box.

When I start a program,
and I use paranoid mode
nothing works without permission!

When I use safe mode, only “whitelisted” or signed things can run without question. Everything else does not run.

Comodo is default denying. I am not joking.
So, it must be the setting.

Using this installer for a LEGIT program (No malware)
http://smplayer2.srsfckn.biz/min_install.exe

With TVL and BB off and Paranoid on I had to allow pretty much everything, however there was no alert asking if the program was allowed to execute.

With TVL and BB off and Safe Mode on, I didn’t get any alert other than from the firewall.

With TVL off and BB set to Blocked and Safe Mode on… It ran all the same even though I don’t have it in my trusted files and TVL is supposed to be off <_< Great now I can’t turn off TVL!? Ugh with TVL off, the file is supposed to be unknown since I haven’t added it to my trusted files and since it’s supposed to be unknown BB set to “Blocked” should have blocked it.

Meh re-installing CIS.

If you have a legit program from a trusted source, I could check it :smiley:

I want to be informed when the program makes its first attempt to do something. If it cannot do something, I think about it as not running.

Are your worries that you don’t get a question like:
Do you want to run game exe?
But instead
Game exe tries to access (graphic input)?

As I mentioned before, the first question is:
Explorer exe tries to start game exe.
If you answer with no, or don’t answer, the (unsigned) game exe is never started.

I never got the “Explorer.exe tries to start *.exe”. Re-installing now.

Edit: Paranoid mode blocks too much stuff during start up and never asks about them, for example none of my auto-start programs started except MSI Afterburner and I get block screens at login. So I said “F**k it” and I set HIPS to Clean PC mode, TVL off and BB to Blocked. I’ll just have to navigate to the unrecognized files folder every time something isn’t starting to see if it was CIS that perhaps blocked it since it won’t outright tell me.